Australia’s Cyber-Security: Still more work to do
After a lengthy wait, Australia’s 2020 Cyber-Security strategy has finally been unveiled, and while it delivers a reasonable foundation on which to build, there is still clearly much work to be done to deliver a truly comprehensive strategy for Australia.
A huge amount of work went into crafting this strategy with recommendations being delivered from many public and private organizations and individuals.
The Industry Advisory Panel, led by Telstra CEO Andy Penn, has seen some – but by no means all – of its recommendations incorporated into the new 2020 Cyber-Security Strategy.
Some of the key recommendations from the Industry Advisory Panel that made it through to the final 2020 Cyber-Security strategy include, but are not limited to, the following:
- Strengthening the pipeline of skilled cyber security professionals
- Clearly defining all critical infrastructure and systems of national significance
- Appointing an Industry Advisory Committee to guide the Government on cyber security including on implementation of current recommendations.
However, to put it in the most basic terms, although there are some solid foundations now in place and a broad frame has been established, there is a lot more to do before our Cyber-Secure fortress has walls and a rain-proof roof.
Some of the most important recommendations of the Industry Advisory Panel that would need further consideration were:
- Proactive mitigation strategies and strengthening of systems essential for end-to-end resilience of critical infrastructures.
- Measures to build trust in technology markets through transparency, such as product labelling.
- Promoting international law and increasing operational-level cooperation with international partners.
- Getting major vendors to sign-up to a voluntary ‘secure by design’ charter to leverage international best practice.
- Working with industry to increase Australia’s role in shaping international cyber security standards.
- Encouraging diversity, transparency and competition in digital supply chains.
- Accelerating the adoption of appropriate standards to ensure digital products and services are ‘secure by design’.
- Implementing a dynamic accreditation or mandatory cyber security labelling scheme.
In a further development, the Federal Government will also release a voluntary Code of Practice on the security of the Internet of Things (IoT), to make the devices used by households and businesses more cyber secure.
The importance of Zero-Trust
As we all know technology these days – whether it’s software or hardware – can come from absolutely anywhere in the world.
As has been seen, an unconditional 5G ban on carriers’ access to their technology of choice does not make countries any safer and causes serious ongoing political and trade-related issues, so banning technology simply because of its flag of origin is not the right approach.
That’s why we advocate for a Zero Trust approach to developing a Cyber-Security framework – everything and every element should be checked and vetted thoroughly no matter where it comes from.
Our position is that adopting a Zero-Trust approach can not only enhance security for existing 5G networks but also provide the framework for security architectures, as detailed by 5G Americas in their recent white paper on “Security Considerations for the 5G era”.
5G brings about virtualization, slices on private cloud, public cloud, and hybrid models, including data centers located even in different jurisdictions. This concept of “5G without borders” could bring security concerns and the Zero-Trust model may mitigate them to an acceptable level.
Zero-Trust ensures that security is in place from untrusted domains (e.g., supply chain, Internet, user devices, other operators and partners) to and from within trusted domains (carrier networks).
Also, the Zero-Trust model meets the ETSI baseline cyber security requirements for the IoT.
In general, Zero-Trust is a Cyber-Security paradigm focused on security controls to prevent unauthorized access to data (resources) and services, coupled with making the access control enforcement as granular as possible, as defined by Scott Rose, Oliver Borchert, Stu Mitchell and Sean Connelly in “Zero Trust Architecture”, National Institute of Standards and Technology (NIST), Special Publication 800-207.
This could be achieved by policy enforcement of geo-location, and mandatory authentication and authorization of peer entities to establish the needed verification.
For instance, in 5G, each element should utilize a robust code signing stack at both the silicon and software layers, so that all the layers involved can be trusted.
To achieve Zero-Trust, operators need to adopt a default “deny all” mentality and start opening up network lanes and endpoints according to the principle of least privilege.
This new paradigm will allow poorly implemented hardware and software in the network to be replaced with physical and logical elements that have substantially more trust built into the product(s) from the supply chain perspective.
Since Zero-Trust is an iterative process, operators must put in place proper network operations – including both centralized and distributed locations – to inspect and log all traffic, and, especially, monitor both physical and virtual infrastructure on an ongoing basis.
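The default “deny all” stance, geo-location policy, mandatory authentication and authorization, and logging of every decision described above can be sketched as a small policy decision function. This is an added illustration, not code from the article or from any 5G specification; the peer names, resources and rule table are constructed for the example.

```python
from dataclasses import dataclass

# Constructed allow-list: (peer identity, resource, action) -> permitted regions.
# Least privilege: each peer gets only the actions it needs; anything that is
# not listed here is denied (default "deny all").
ALLOW_RULES = {
    ("amf-01", "subscriber-db", "read"): {"AU"},
    ("nms-ops", "ran-config", "read"): {"AU"},
    ("nms-ops", "ran-config", "write"): {"AU"},
}

@dataclass(frozen=True)
class Request:
    peer: str            # identity the peer presented
    authenticated: bool  # outcome of a prior authentication step (assumed, e.g. mutual TLS)
    region: str          # geo-location of the peer as a country code
    resource: str
    action: str

# Every decision, allow or deny, is recorded so it can be inspected later.
AUDIT_LOG = []

def decide(req):
    """Return (allowed, reason) for one request and log the decision."""
    regions = ALLOW_RULES.get((req.peer, req.resource, req.action))
    if not req.authenticated:
        verdict = (False, "unauthenticated peer")
    elif regions is None:
        verdict = (False, "no matching allow rule (default deny)")
    elif req.region not in regions:
        verdict = (False, "geo-location not permitted")
    else:
        verdict = (True, "allowed by explicit rule")
    AUDIT_LOG.append((req, verdict))
    return verdict

if __name__ == "__main__":
    samples = [
        Request("amf-01", True, "AU", "subscriber-db", "read"),
        Request("amf-01", True, "AU", "subscriber-db", "write"),
        Request("nms-ops", True, "SG", "ran-config", "write"),
        Request("nms-ops", False, "AU", "ran-config", "read"),
    ]
    for s in samples:
        print(s.peer, s.resource, s.action, "->", decide(s))
```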
Zero-Trust augments a defense-in-depth security strategy (also known as layered defense, where controls of various types and kinds overlap each other in coverage) and cannot be achieved without the full participation of all the elements in the trust chain for a network.
In order to realize this vision in Australia, the Federal Government should establish a close collaboration with international industry partners, such as the 3rd Generation Partnership Project (3GPP) on 5G security assurance specifications (SCAS) and GSMA Mobile for Development Foundation (GSMA) on network equipment security assurance scheme (NESAS).
The Australian Federal Government should be a major player among those organizations, support the continuous evolution of the 3GPP 5G technical specifications with evolving usage scenarios, adopt the GSMA NESAS/3GPP SCAS for testing and evaluating telecoms equipment, and enforce a certification and accreditation process, against a predetermined set of security standards and policies, for security authorization in Australia.
David Soldani is the Chief Technology Officer at Huawei Australia